[10231] in cryptography@c2.net mail archive
Re: password-cracking by journalists... (long, sorry)
daemon@ATHENA.MIT.EDU (Arnold G. Reinhold)
Tue Jan 22 11:01:06 2002
Mime-Version: 1.0
Message-Id: <v04210105b8726bebc9d1@[192.168.0.2]>
In-Reply-To: <5.1.0.14.0.20020121161033.00a07360@netmail.home.net>
Date: Tue, 22 Jan 2002 10:27:21 -0500
To: Will Rodger <wrodger@pobox.com>,
Steve Bellovin <smb@research.att.com>, cryptography@wasabisystems.com
From: "Arnold G. Reinhold" <reinhold@world.std.com>
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable
At 5:16 PM -0500 1/21/02, Will Rodger wrote:
>Arnold says:
>
>>You can presumably write your own programs to decrypt your own=20
>>files. But if you provide that service to someone else you could=20
>>run afoul of the law as I read it. The DMCA prohibits trafficking=20
>>in technology that can be used to circumvent technological=20
>>protection measures. There is no language requiring proof than=20
>>anyone's copyright was violated. Traffic for hire and it's a=20
>>felony.
>
>I think there's a good argument to the contrary.
>
>The DMCA only bans trafficking in devices whose _primary_ purpose is=20
>infringement.
No, DMCA bans trafficking in devices whose primary purpose is=20
*circumvention.* I'm not trying to nit pick, it's an important=20
point. DMCA creates a whole new class of proscribed activity,=20
circumvention, that does not require proof of infringement.
As for the phrase "primary purpose," I can easily see a judge=20
accepting the argument that the primary purpose of a tool that breaks=20
encryption is circumvention as defined in this act. In the 2600 case,=20
the defense argued that DeCSS was also useful for playing purchased=20
DVDs on Linux machines and for fair use. The courts dismissed this=20
argument.
>And it only applies to works "protected by this Title," that is,=20
>Title 17, which is the collection of laws pertaining to copyright.
Right, but just about everything written today is copyrighted from=20
the moment of creation. You have to go out of your way (or work for=20
the U.S. government) to place new works in the public domain.
>
>There was a very long, drawn out discussion of what would be banned=20
>and what not before passage. It included all sorts of people=20
>traipsing up to Capitol Hill to make sure that ordinary research and=20
>system maintenance, among other things, would not be prosecuted.=20
>Bruce Schneier was among those who talked to the committees and was=20
>satisfied, as I recall, that crypto had dodged a bullet. I'm not=20
>saying that Bruce liked the bill, just that this particular fear was=20
>lessened greatly, if not eliminated, by the language that finally=20
>emerged.
I've heard that story as well. I don't know if he saw the final=20
language, how long he had to study it or what he based that opinion=20
on. Maybe there is some statement in the legislative history, which=20
is only what the legislators said about the bill, that might be=20
helpful in court. Absent that, we have to rely on what the law=20
actually says. Bruce's opinion of what the law means would carry no=20
weight in court.
>
>>Now a prosecutor probably wouldn't pursue the case of a=20
>>cryptographer who decoded messages on behalf of parents of some kid=20
>>involved in drugs or sex abuse. But what if the cryptographer was=20
>>told that and the data turned out to be someone else's? Or if the=20
>>kid was e-mailing a counselor about abuse by his parents? Or the=20
>>government really didn't like the cryptographer because of his=20
>>political views?
>
>It all gets down to knowingly doing something, right? If our=20
>cryptographer acted in good faith, he wouldn't be prosecuted -- the=20
>person who set him up would be.
I see nothing in the law that exempts you from liability if you=20
didn't know you acted without authorization of the copyright holder.=20
There is a provision, 1203(c)(5), that lets a court reduce reducing=20
civil damages if you didn't know. That presumably does not apply to=20
the criminal provisions and prosecutors are notorious for doing=20
whatever it takes if they want to get someone. See, for example=20
http://www.nytimes.com/2002/01/21/nyregion/21CLEA.html
>
>
>>There is also the argument that Congress only intended to cover=20
>>tools for breaking content protections schemes like CSS and never=20
>>intended to cover general cryptanalysis. You might win with that=20
>>argument in court (I think you should), but expect a 7 digit legal=20
>>bill. And if you lose, we'll put up a "Free Will" web site.
>
>No argument there!
>
>>>>As for the legal situation before the DMCA, the Supreme Court=20
>>>>issued a ruling last year in a case, Barniki v. Volper, of a=20
>>>>journalist who broadcast a tape he received of an illegally=20
>>>>intercepted cell phone conversation between two labor organizers.=20
>>>>The court ruled that the broadcast was permissible.
>>>
>>>The journalist received the information from a source gratis.=20
>>>That's different from paying for stolen goods, hiring someone to=20
>>>eavesdrop, or breaking the law yourself. The First Amendment=20
>>>covers a lot, in this case.
>>
>>Correct. The Barniki opinion pointed out that the journalists were=20
>>not responsible for the interception. But journalists receive=20
>>purloined data from whistle-blowers all the time. Suppose in the=20
>>future it was one of those e-mail messages with a cryptographically=20
>>enforced expiration date? A journalist who broke that system might=20
>>be sued under DMCA. That possibility might not frighten the WSJ,=20
>>but what about smaller news organizations?
>
>
>Fair enough. But what would the damages under copyright law be? They=20
>generally correspond to a harm in the market for a certain kind of=20
>information. I don't see a value for a single email on the open=20
>market except as a trade secret, say. But then you're back into=20
>First Amendment territory, as well as the vagaries of state=20
>trade-secret laws (There's no such thing in federal law). One of the=20
>failings of the federal law is that it does give unethical people=20
>room to tie up the courts. Nothing new there...
Again, there is this new offence called circumvention. You don't=20
need to prove infringement or trade secrets. There are statutory=20
damages (1203(c)(3)(A)), $200 to $2500 per act of circumvention "as=20
the court considers just," plus you can be assessed the legal=20
expenses of the other side. But the real kicker is that circumvention=20
for hire is a felony.
>
>
>>>>So the stolen property argument you give might not hold. The=20
>>>>change wrought by the DMCA is that it makes trafficking in the=20
>>>>tools needed to get at encrypted data, regardless whether one has=20
>>>>a right to (there is an exemption for law enforcement) unlawful.
>>>
>>>There's language governing that in the statute. Trafficking in=20
>>>tools specifically designed to break a given form of copy=20
>>>protection is one thing. The continued availability of legal tools=20
>>>for cryptanalysis and legitimate password cracking is another. As=20
>>>bad as the DMCA is, it's not _that_ bad.
>Arnold replied:
>
>>I've read the statute very carefully and I never found such=20
>>language. (You can read my analysis at=20
>>http://world.std.com/~reinhold/DeCSSamicusbrief.html) It's=20
>>certainly possible that I overlooked something. Perhaps you could=20
>>cite the language you are referring to?
>
>Sure.
>
>In Section 1204, we see reference to "works protected by this=20
>title." The DMCA as enacted is part of Title 17, which is=20
>specifically copyright laws. Copyright law in the US gives a person=20
>access to his own work
>and also allows for fair use _as defined by the courts_.=20
>Pro-consumer types failed to get language reminding the reader that=20
>fair use still applied. Drafters argued that would have been=20
>redundant. See ulterior motives here, if you want.
Ulterior motives or no, it's not in the law. Judge Kaplan and the=20
Court of Appeals for the 2nd Circuit flatly rejected fair use=20
arguments in the 2600 case. The 2nd Circuit wrote "Fair use has=20
never been held to be a guarantee of access to copyrighted material=20
in order to copy by the fair user's preferred technique or in the=20
format of the original."
>
>Anyway, the DMCA as enacted (with my emphasis in caps) says in=20
>Chapter 12, Sec. 1204:
>
>=91=91(2) No person shall manufacture, import, offer to the public,=20
>provide, or otherwise traffic in any technology, product, service,=20
>device, component, or part thereof, that=97
>
>=91=91(A) is PRIMARILY designed or produced for the purpose of=20
>circumventing a technological measure that effectively controls=20
>access to a work PROTECTED UNDER THIS TITLE;
Again just about any work produced today is copyrighted and therefore=20
protected under this title.
>
>=91=91(B) has only limited commercially significant purpose or use other=20
>than to circumvent a technological measure that effectively controls=20
>access to a work protected under this title; or
>
>=91=91(C) is marketed by that person or another acting in concert with=20
>that person with that person=92s knowledge for use in circumventing a=20
>technological measure that effectively controls access to a work=20
>protected under this title."
>
>All those references to works protected under this title do nothing=20
>to keep you from getting at your own stuff. The rest of the language=20
>also tells you if you want to use a copy of Crack to get to some of=20
>your own system files, well, go ahead.
I agree that you can get at your own work. I said you might be over=20
the line if you help someone else get at their stuff, especially if=20
you get paid for it. In drafting this reply, I found a footnote (14)=20
in the Second Circuit's 2600 opinion that suggests such assistance=20
*is* permissible:
"When read together with the anti-trafficking provisions, subsection=20
1201(a)(3)(A) frees an individual to traffic in encryption technology=20
designed or marketed to circumvent an encryption measure if the owner=20
of the material protected by the encryption measure authorizes that=20
circumvention."
I am not a lawyer, but I think this might be considered "dicta,"=20
statements in a court opinion that are not necessary to the decision,=20
and lack binding precedential value. There is also the question of=20
what "owner" means. Still, it is encouraging.
>Now, you're probably thinking "ah hah! He didn't clear up the=20
>problems with the 'primary purpose' stuff." But not quite. We have a=20
>right to use our VCRs today because a court has already ruled that a=20
>VCR's primary purpose is not piracy. So far, the courts have=20
>understood "primary purpose" to mean "This purpose and pretty much=20
>no other."
As I pointed out above, other uses arguments have not gotten anywhere=20
in court to date with respect to DMCA.
>Can we quibble about this? Absolutely. But I haven't heard anyone=20
>come up with a good way of saying that your system maintenance tools=20
>are legitimate, except to say that they are primarily _not_ for=20
>breaking in to others' machines. Still, who uses sniffers more, sys=20
>admins or the bad guys? I bet the latter, on any given day.
DMCA is much more broadly written than 18 USC 1030, which deals with=20
breaking into others' machines.
>
>All that said, one would still want some language making clear that=20
>what researchers do is OK. The statute does it, more or less,=20
>through provisions for research in Chapter 12, Sec. 1201:
I would say less. See my comments below and my amicus brief=20
http://world.std.com/~reinhold/DeCSSamicusbrief.html, which the=20
Second Circuit ignored.
>
>=91=91(g) ENCRYPTION RESEARCH.=97
>
>=91=91(1) DEFINITIONS.=97For purposes of this subsection=97
>
>=91=91(A) the term =91encryption research=92 means activities necessary to=
=20
>identify and analyze flaws and vulnerabilities of encryption=20
>technologies applied to copyrighted works, if these activities are=20
>conducted to advance the state of knowledge in the field of=20
>encryption technology or to assist in the development of encryption=20
>products; and
This applies to research, not other uses of cryptoanalytic technology.
>
>=91=91(B) the term =91encryption technology=92 means the scrambling and=20
>descrambling of information using mathematical formulas or=20
>algorithms.
>
>
>=91=91(2) PERMISSIBLE ACTS OF ENCRYPTION RESEARCH.=97Notwithstanding the=20
>provisions of subsection (a)(1)(A), it is not a violation of that=20
>subsection for a person to circumvent a technological measure as=20
>applied to a copy, phonorecord, performance, or display of a=20
>published work in the course of an act of good faith encryption=20
>research if=97
>
>=91=91(A) the person lawfully obtained the encrypted copy, phonorecord,=20
>performance, or display of the published work;
Save that receipt.
>
>=91=91(B) such act is necessary to conduct such encryption research;
The judge is looking over your shoulder.
>
>=91=91(C) the person made a good faith effort to obtain authorization=20
>before the circumvention; and
You have to ask permission and expose your self to possible legal=20
action. Has anyone here actually tried to get permission from a=20
copyright owner to attempt to break encryption?
>
>=91=91(D) such act does not constitute infringement under this title or=20
>a violation of applicable law other than this section, including=20
>section 1030 of title 18 and those provisions of title 18 amended by=20
>the Computer Fraud and Abuse Act of 1986.
>
>=91=91(3) FACTORS IN DETERMINING EXEMPTION.=97In determining whether a=20
>person qualifies for the exemption under paragraph (2), the factors=20
>to be considered shall include=97
The phrase "factors to be considered" means each situation requires a=20
separate, time consuming and expensive determination by a court.
>
>=91=91(A) whether the information derived from the encryption research=20
>was disseminated, and if so, whether it was disseminated in a manner=20
>reasonably calculated to advance the state of knowledge or=20
>development of encryption technology, versus whether it was=20
>disseminated in a manner that facilitates infringement under this=20
>title or a violation of applicable law other than this section,=20
>including a violation of privacy or breach of security;
If you publish too many details, you may lose your research exemption.
>
>=91=91(B) whether the person is engaged in a legitimate course of study,=20
>is employed, or is appropriately trained or experienced, in the=20
>field of encryption technology; and
I trust everyone's credentials are in order.
>
>=91=91(C) whether the person provides the copyright owner of the work to=20
>which the technological measure is applied with notice of the=20
>findings and documentation of the research, and the time when such=20
>notice is provided.
You have to give them another opportunity to sue before you publish.
>=91=91(4) USE OF TECHNOLOGICAL MEANS FOR RESEARCH ACTIVITIES.=20
>=97Notwithstanding the provisions of subsection (a)(2), it is not a=20
>violation of that subsection for a person to=97
>
>=91=91(A) develop and employ technological means to circumvent a=20
>technological measure for the sole purpose of that person performing=20
>the acts of good faith encryption research described in paragraph=20
>(2); and
>
>=91=91(B) provide the technological means to another person with whom he=20
>or she is working collaboratively for the purpose of conducting the=20
>acts of good faith encryption research described in paragraph (2) or=20
>for the purpose of having that other person verify his or her acts=20
>of good faith encryption research described in paragraph (2)."
Not that there is nothing in the above two paragraphs that permits=20
one to *publish* the results of the research.
>
>Note that all this leaves Ed Felten's recent work in the clear. It=20
>also explains why the RIAA soiled its legal briefs when faced with=20
>_his_ lawyers in court.
=46elton was threatened for attempting to publish his work, not for=20
doing the research. Again, there is no language in the law that=20
authorizes publication. I don't know what the RIAA was thinking, but=20
they were on shaky First Amendment grounds and probably did not want=20
to lose an early test of the law. If the law is upheld elsewhere,=20
they may get bolder.
>
>-------------------------
>
><Phew!>
>
>OK. so that's my rap on why this law is bad but won't likely put=20
>anyone on this list in jail. The biggest problem, I think, is not=20
>its prohibitions but the legal cudgel it gives to certain people who=20
>would like to silence others.
>
>If this is the looming disaster many of us feared (I'm talking about=20
>stuff much worse than the DeCSS cases here) it should have fallen on=20
>us by now. The fact that it hasn't gives me hope. Maybe I'm just too=20
>naive!
>
>Will
I agree with you that the law ought not to apply to ordinary=20
cryptographic activity and that it should be unconstitutional if it=20
does. But the law can be read the other way and it has survived=20
unscathed so far. Add to that the post Sept 11 attitude of accepting=20
greater restrictions on personal liberty and the likelihood of=20
further incidents of alleged crypto use by terrorists, drug dealers=20
and pornographers, and I think there is a real danger that it may be=20
used against cryptographers.
The Second Circuit's 2600 ruling is particularly troublesome in this=20
regard since it allows software to be proscribed based on the=20
functional effect it can have on computer systems, not withstanding=20
the fact that it is speech. If that ruling is upheld, we might see=20
the enemies of open cryptography become more aggressive.
I'm not suggesting that anyone panic or stop their research and=20
publication. But people should be aware of the risk, get competent=20
legal advice and at least take care to document in writing situations=20
where they believe they are breaking encryption systems with the=20
owner's permission.
Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
